Gateway-to-gateway configurations

Define the security policies

Security policies control all IP traffic passing between a source address and a destination address. For a route-based VPN, the policies are simpler than for a policy-based VPN: instead of an IPsec policy, you use an ordinary ACCEPT policy in which the virtual IPsec interface is the outgoing interface (or, for the return direction, the incoming interface). The tunnel itself is selected by routing, not by the policy.


Before you define security policies, you must first define firewall addresses to use in those policies. You need addresses for:

  • The HR network behind FortiGate_1
  • The aggregate subnet address for the protected networks


To define the IP address of the HR network behind FortiGate_1

1. Go to Policy & Objects > Addresses.

2. Select Create New, enter the following information, and select OK:

Name               Enter an address name (for example, HR_Network).
Type               Subnet
Subnet/IP Range    Enter the IP address of the HR network behind FortiGate_1 (for example, 10.1.0.0/24).


To specify the IP address of the aggregate protected subnet

1. Go to Policy & Objects > Addresses.

2. Select Create New, enter the following information, and select OK:

Name               Enter an address name (for example, Spoke_net).
Type               Subnet
Subnet/IP Range    Enter the IP address of the aggregate protected network, 10.1.0.0/16.


To define the security policy for traffic from the hub to the spokes

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter the following information, and select OK:

Incoming Interface     Select the interface to the HR network, port1.
Source Address         Select HR_Network.
Outgoing Interface     Select the virtual IPsec interface that connects to the spokes, toSpokes.
Destination Address    Select Spoke_net.
Action                 Select ACCEPT.

FortiGate evaluates the policy list top-down and applies the first policy that matches, so place this policy above any other policies having similar (broader) source and destination addresses; otherwise a broader policy higher in the list will match the VPN traffic first and this policy will never be hit.
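The same address objects and policy entered from the FortiOS CLI, as an added example that is not part of the handbook text. The object names, port1 and toSpokes are taken from the steps above; the policy name HR_to_Spokes, the schedule/service values (the GUI defaults), and the policy IDs used in the move command are assumptions, since the real IDs depend on what already exists on the unit.

```text
# Added example: FortiOS 5.4 CLI equivalent of the GUI steps above.

# Address objects. "ipmask" is the CLI name for the GUI type "Subnet".
config firewall address
    edit "HR_Network"
        set type ipmask
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "Spoke_net"
        set type ipmask
        set subnet 10.1.0.0 255.255.0.0
    next
end

# Hub-to-spokes policy. "edit 0" makes FortiOS assign the next free policy ID.
# No "set inbound/outbound" or "set vpntunnel": with a route-based VPN the
# virtual IPsec interface (toSpokes) is simply the destination interface.
config firewall policy
    edit 0
        set name "HR_to_Spokes"
        set srcintf "port1"
        set dstintf "toSpokes"
        set srcaddr "HR_Network"
        set dstaddr "Spoke_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check the resulting order and IDs, then move the new policy above any
# broader policy that could match the same traffic first.
show firewall policy

config firewall policy
    # Assumed IDs for illustration: 7 = HR_to_Spokes, 3 = an existing broader policy.
    move 7 before 3
end
```

After the move, run `show firewall policy` again and confirm HR_to_Spokes is listed before the broader policy; the list order shown by `show` is the order in which policies are evaluated.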

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
